Introduction


The Information Commissioner is producing a direct marketing code 
of practice, as required by the Data Protection Act 2018. A draft of 
the code is now out for public consultation. 


The draft code of practice aims to provide practical guidance and 
promote good practice in regard to processing for direct marketing 
purposes in compliance with data protection and e-privacy rules. 
The draft code takes a life-cycle approach to direct marketing. It 
starts with a section looking at the definition of direct marketing to 
help you decide if the code applies to you, before moving on to 
cover areas such as planning your marketing, collecting data, 
delivering your marketing messages and individuals' rights.


The public consultation on the draft code will remain open until 4 
March 2020. The Information Commissioner welcomes feedback on
the specific questions set out below. 


You can email your response to directmarketingcode@ico.org.uk 
Or print and post to: 


Direct Marketing Code Consultation Team
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF


If you would like further information on the consultation, please 
email the Direct Marketing Code team. 


Privacy statement 


For this consultation we will publish all responses received from 
organisations except for those where the response indicates that they 
are an individual acting in a private capacity (eg a member of the 
public). All responses from organisations and individuals acting in a 
professional capacity (eg sole traders, academics etc) will be published 
but any personal data will be removed before publication (including 
email addresses and telephone numbers). 


For more information about what we do with personal data please see 
our privacy notice 


Q1 Is the draft code clear and easy to understand? 


Yes 
No 


Whilst the language of the draft Code is generally clear and easy to read, some 
of the wording lacks certainty which makes it difficult to apply in practice. For 
example, there are a number of instances where the draft Code uses the word 
“unlikely”. Whilst we appreciate that it is impossible for the draft Code to provide 
categorical guidance on every issue, the use of such wording makes it difficult 
for readers to interpret and apply. For example, the section on profiling on page 
58 of the draft Code states that “It is unlikely that you will be able to apply 
legitimate interests for intrusive profiling for direct marketing purposes”. This 
does not provide clarity on when legitimate interests may or may not be relied 
upon for profiling activities, or indeed on what might constitute “intrusive” 
practices. Conversely, the section on targeting customers or supporters on 
social media on page 90 provides that “It is likely that consent is the appropriate 
lawful basis for this processing [custom audiences]”. It is not however clear 
whether this will always be the case, or on what basis this assessment has
been made. 


The section “What are direct marketing purposes?” (on page 14 of the draft 
Code) states that ‘direct marketing purposes’ are wider than the act of sending 
direct marketing communications, and that if the ultimate aim is to send direct 
marketing, then all processing activities which lead up to or support sending 
those communications constitutes processing for direct marketing purposes. We 
believe that this section is potentially confusing to readers, as it could be 
interpreted to mean that consent is required for each of these processing 
activities (when in fact it may be possible to rely on an alternative legal basis). 


Bates Wells regularly advises charities and not-for-profit organisations on
compliance with direct marketing rules in relation to their fundraising and 
campaigning activities. It is of course well established that the promotion of a 
charity's aims and ideals will constitute direct marketing. We do however have 
concerns that the draft Code’s wording around the difference between a “service 
message” and “direct marketing” communication is an overly restrictive 
interpretation of the law which could have a significant impact on the way in 
which charities can develop relationships with their donors and maximise funds. 
For example, charities donors that they can increase the value of their donation 
by making a gift aid declaration. In addition, charities will often wish to thank a 
donor for a donation, or get in touch with supporters who have signed up to take 
part in charity challenge events to provide them with details of the event and 
how they can prepare etc. Clearly the content and tone of the message will be a 
key factor in determining whether such communications constitute direct 
marketing, but the wording on pages 19-20 of the draft Code could lead charities 
to believe that all such communications are direct marketing for which they 
require consent to send (where they send electronic communications). This 
could have a significant negative impact on charities. 


We also have significant concerns in respect of elements of the section of the 
draft Code entitled “Can public sector communications be direct marketing?” on 
pages 21-22. The ICO again seems to be interpreting what constitutes direct
marketing very broadly, for example, capturing messages from GPs inviting
patients to a healthy eating event or informing patients that they can receive a flu 
vaccination. Such communications are not sent with the purpose of promoting 
the GP’s services, but rather protecting and improving public health. Making it 
more burdensome to send such messages (particularly at the moment) seems to 
be at odds with the spirit of the legislation. 


- The Code would help organisations if it provided examples of the evidence that 
an organisation is expected to demonstrate in considering the fairness or 
intrusiveness of their direct marketing practices. For instance, would the ICO 
consider reports of customer/ supporter focus groups or results of a survey of 
customers/ supporters asking them about their views on the level of marketing 
engagement?


- At pages 96-97 of the Code there is discussion about the use of location data in 
the context of direct marketing. It would be helpful to provide examples to 
distinguish the ICO’s comments on location data and when Regulation 14 PECR 
applies. 


- The sequencing and layout of the Code is clear and it is helpful having “At a 
glance” and “In more detail” sections as well as Example boxes to demonstrate 
key rules. The draft Code would however be much easier to read and reference 
if each section/ paragraph was numbered. 


Q2 Does the draft code contain the right level of detail? (When 
answering please remember that the code does not seek to duplicate
all our existing data protection and e-privacy guidance) 


[x] Yes
No 


If no please explain what changes or improvements you would like to 
see? 


Q3 Does the draft code cover the right issues about direct marketing? 


[x]


Yes 
No 


If no please outline what additional areas you would like to see 
covered: 


Generally we believe that the Code does cover the right issues about direct marketing. 
However, one key omission in respect of charities is the processing of data in respect of 
vulnerable donors. Charities and any professional fundraising agencies they engage with 
are under a legal obligation (under the Charities (Protection and Social Investment) Act 
2016), to protect vulnerable donors and supporters, for example by not enlisting overly 
intrusive fundraising techniques. Further rules around this are contained in the Code of 
Fundraising Practice from the Fundraising Regulator. Charities need to be able to record 
certain data about vulnerable or potentially vulnerable people so that they are able to treat 
such people appropriately (e.g. either to suppress direct marketing or to note that they may 
need extra support in order to donate etc.) Such information may, in some circumstances, 
be special category health data. Pages 38 and 39 of the draft Code cover the use of special 
category data for direct marketing. It states that in practice, the only available condition is
explicit consent. Where a person is in a vulnerable circumstance it may not be possible for
them to provide consent, or appropriate for the charity to ask for it. It would therefore be 
helpful to have some guidance from the ICO (either within the Code or separately) on 
whether there are any alternative legal bases that charities could rely upon to process data 
in these circumstances, for example, Article 9(2)(g) GDPR (Substantial Public Interest), as 
we know it is something that a number of charities grapple with. 


Another omission is the implications for buyers in a share or asset sale where they 
purchase an existing database of customer/ supporter details for direct marketing as part of 
the acquisition and intend to use the database to market for the same purposes. It would be 
useful for the ICO to set out the steps expected in such circumstances. 


Q4 Does the draft code address the areas of data protection and e- 
privacy that are having an impact on your organisation’s direct 
marketing practices? 


Yes 
No 


If no please outline what additional areas you would like to see covered: 


As mentioned, Bates Wells regularly advises charities and not-for-profit organisations. Given
that charities are reliant on public funds and are subject to high levels of scrutiny and 
regulation, in our experience, charities often endeavor to implement good practice 
recommendations rather than comply with the minimum legal requirements. We therefore have 
concerns about the Good practice recommendation on page 31 in respect of the legal basis for 
sending direct marketing. This recommends that organisations get consent for all direct 
marketing regardless of whether PECR requires it or not. This is at odds with the ICO’s 
guidance on [insert link], which states that one legal basis is not necessarily superior to 
another. This recommendation could lead charities to believe that they should obtain consent 
for all direct marketing (even where it is not legally required, for example, direct mail, which a 
number of charities still rely heavily upon to raise funds or otherwise communicate with 
supporters). 


Charities also regularly receive support from companies who raise funds on behalf of the 
charity, for example via their customers and staff. We therefore have concerns about how the 
example on page 27 of the draft Code (which details a supermarket supporting a charity at 
Christmas by sending a marketing e-mail to its customers about the charity’s work) will work in 
practice. The supermarket is very unlikely to have obtained consent to send direct marketing 
about each charity it supports (as it will not be able to predict what charities it may partner with 
in the future). Often communications to customers are not “at the instigation” of the charity and 
are instead sent by the corporate as they wish to promote their CSR work/ charity of the year 
arrangements. This example therefore seems overly simplistic and does not cover the nuances 
of such arrangements. We are also unsure how the supermarket would screen against the 
charity's suppression list when the charity and supermarket are not sharing data, and such a 
requirement seems contrary to the principle of data minimization. 


The Example on page 100 relating to a charity selling its supporter database to another charity 
is not accurate as the Code of Fundraising Practice actually prohibits this practice without 
consent. Charities would therefore be in breach of the Code if they did this. It would be helpful 
if the draft Code could align with the Code of Fundraising Practice to avoid confusion. 


Q5 Is it easy to find information in the draft code? 


[x] Yes


No 


If no, please provide your suggestions on how the structure could be 
improved: 


Q6 Do you have any examples of direct marketing in practice, good or bad,
that you think it would be useful to include in the code?


[x] Yes


No 


If yes, please provide your direct marketing examples:


- We think it would be helpful to include some good practice examples of how organisations can 
seek granular consent from individuals, as we know that it is an issue, which (particularly our
charity clients) require advice on. Page 33 of the draft Code briefly mentions that the request 
for consent must cover the types of processing activity, and that where possible “you should 
provide granular consent options for each type of processing”. We interpret good practice in 
this area to be to seek consent to each different processing activity e.g. sending direct 
marketing by different channels such as e-mail and text, or profiling (where consent is the legal
basis being relied upon). Confusion can however arise about how granular this needs to be i.e.
is separate consent required to send different types of direct marketing e.g. requests for 
donations, information about events, campaigning materials etc.? We believe that providing tick 
boxes for every type of communication would be unnecessary and confusing, and that it is 
better practice to clearly explain what a person will receive within the consent statement so that 
they can make an informed decision about which channels they wish to receive direct 
marketing by. 


Q7 Do you have any other suggestions for the direct marketing code?


There is a typo on page 4 of the draft. The third line in the second paragraph within the 
“Profiling and data enrichment” section should read “there are additional rules in the GDPR...”. 


It is important to ensure that the draft Code aligns with and reflects the content of other ICO 
guidance, as well as other external Codes that contain rules on direct marketing, including the 
Fundraising Regulator's Code of Fundraising Practice.


11% of the examples within the draft Code relate to charities. This seems to be a 
disproportionate number given the range of organisations and businesses that undertake direct 
marketing and the fact that non-charities have been responsible for the most flagrant breaches of
PECR which have resulted in the most serious fines by the ICO. 


It would be useful to have a guide or separate checklist for SMEs, which may not have the 
same level or access to specialist advice or support in respect of their direct marketing 
practices as larger organisations.


About you 


Q8 Are you answering as: 


An individual acting in a private capacity (eg someone 
providing their views as a member of the public) 

An individual acting in a professional capacity 

On behalf of an organisation 

Other 


Please specify the name of your organisation: 


Bates Wells 


If other please specify: 




Q9 How did you find out about this survey? 




ICO Twitter account 
ICO Facebook account 
ICO LinkedIn account 
ICO website 

ICO newsletter 

ICO staff member 
Colleague 




[x]


Personal/work Twitter account 
Personal/work Facebook account 
Personal/work LinkedIn account 
Other 

If other please specify: 




Thank you for taking the time to complete the survey 




